Padlocked

Protecting you from cybercrime, one step at a time.

Below this is were the further explanation of this website resides! If you want to know more about the website, or need access to the pages, please select the link to the page below!

    Common Cyberattacks: Command & Control

    What is Command & Control?
    Also known as C&C, Command and Control is when cybercriminals begin communications with compromised devices within a target company’s network. Attackers use servers to send commands and receive data from compromised devices, and attackers can use the server to perform various malicious actions on the target network, such as data discovery, malware spreading, or Denial of Service attacks.

    Stages of Command & Control Attacks
    Each C&C attack follows the same set of stages:

    • Point of Entry: Attacks launched penetrate the target network via malware. They would use common delivery methods, including phishing emails, drive-by downloads and vulnerability exploits.
    • Establishing Connections: After infiltration, the attacker uses channels to instruct and control compromised machines and malware in the network.
    • Movement & Persistence: Inside the network, attackers compromise additional machines to harvest credentials, escalate privilege levels, and maintain persistent control over the compromised network.
    • Discovering Data: The attacker employs several techniques to identify valuable servers and systems that contain high-value data.
    • Exfiltrating Data: The cybercriminal funnels the stolen data to an internal staging server where it is compressed and often encrypted, to then be transmitted to external locations.


    Signs of Command & Control Attacks
    Organizations can look out for malicious network communications via network packets and examining for C&C configuration patterns, such as the following:

    • Known C&C URL pathing
    • Suspicious packet headers
    • Suspicious network communications
    • Unusual ports and protocols


    Mitigating and Preventing Command & Control Attacks
    Organizations should take proactive steps to ensure they can detect C&C activities by using security tools that provide the following capabilities:

    • Scanning and Filtering Traffic: Because C&C channels frequently mix in with valid domain name system (DNS) data, inspecting incoming and outgoing traffic is essential for detecting suspicious activities such as unlawful network traffic encryption (often used in DNS tunnelling operations) and traffic to unfamiliar servers.
    • Monitoring Suspicious Behaviour: Abnormalities in traffic might indicate an infected workstation or malware activity. You’ll also want to ensure your tool’s suspicious activity monitoring features can detect attempts to transfer large data files from your systems.
    • Scanning Networks with Endpoint Protection: By using battle-tested endpoint protection — ideally endpoint detection and response (EDR) — you can discover and eradicate malware activities from your host computers. Doing so deletes the virus that would be used to communicate with C&C servers, which impedes the covert route of communication.